[Freeipa-devel] service record conundrum
Rob Crittenden
rcritten at redhat.com
Thu Dec 3 04:15:31 UTC 2009
Here is sort of a tricky problem, need some advice (LONG).
When we bootstrap an IPA server we create a number of principals for the
server itself. We create a host/, HTTP/ and ldap/ principal using
kadmin.local. By using kadmin.local this entry is put into
cn=kerberos,dc=example,dc=com.
This has the nice side effect of making these records not appear as
service entries so they are unmodifiable by anyone, meaning an admin
will have a really hard time hosing their server.
The downside is that these records do not appear as service entries, so
if you search for services on the IPA server you'll get nothing.
Even worse it means you can't request certificates for these services,
because they don't exist. Not that one really should since we also
generate certificates for these at bootstrap, but we don't store them
anywhere because there isn't any place to put them. This also means that
we can't track expiration of these.
To make things even more fun we have the DS uniqueness plugin configured
so there can be no duplication in principal names. Since this is in the
RDN of service records we can't even create a bit of a bogus entry to
still protect the principals and yet be able to store certificates.
Remember too that these records are creating during installation,
effectively bootstrapping the real services (httpd, dirsrv), so we have
limited options for how to generate them to begin with.
One idea I had is to continue to use kadmin.local to create the
principals and then move them out of cn=kerberos into cn=services,
adding whatever additional data we need. This way we would maintain the
principalkeys. Then we'd need to insert the certificates we generate.
Unfortunately 389-DS doesn't seem to support newsuperior so I guess we'd
have to move it ourselves via delete and re-add.
So I'm basically stuck right now.
rob
More information about the Freeipa-devel
mailing list